This FAQ provides guidance on extra steps you should take when setting up SBS 2011. Some sections should be evaluated case by case, while others should be done on all installs. The items I consider mandatory are marked All Installs.

A. Check Old Database Size and Set Registry on New Server: All Installs
http://technet.microsoft.com/en-us/library/bb232092.aspx

B. Enable DHCP Conflict Detection: All Installs
A. Open DHCP, right-click the IPv4 protocol.
B. Choose Properties.
C. Click the Advanced tab.
D. Change the number of conflict checks from zero to one.

C. Discuss what computers belong to what users for RWW: All Installs
Gather the workstation list and set up RWW defaults.

D. Discuss Implementing Restricted Groups With Customer: All Installs
Enabling restricted groups allows us to restrict who is a local admin and prevents users from creating backdoor admin accounts. Any account added to a PC's local Administrators group will be automatically removed from that group if it is not part of the Restricted Groups list.
To enable restricted groups:
1. Open GPMC and create and link a new GPO at the top level of the domain.
2. Edit the GPO.
3. Right-click the topmost link in the GPO and choose Properties.
4. Click the Security tab.
5. Remove all entries related to users. Leave Domain Admins in place.
6. Add Domain Computers and check the box for Apply policy.
7. In the list, select Domain Controllers and check the box for Deny policy.
8. Click OK.
9. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
10. Click Browse. Focused on the local computer, click the "Administrators" group, click ADD, and then click OK. You are returned to the group policy and you see the Administrators group listed in the Restricted Groups window.
11. Right-click the group, and then click Security.
12. To the right side of the Members of this Group box, click ADD, and then click Browse.
13. Add the appropriate users to the group. For domain accounts use the Browse button to ensure the domain name is included. For the local Administrator ID, type Administrator. Add:
• UserDomain\Domain Admins
• UserDomain\Domain Users (if appropriate)
• Administrator

E. Install Specops GPUpdate utility: All Installs
This free utility lets you reboot computers and remotely push a GPUpdate from ADUC.
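
Once the Restricted Groups GPO from section D has applied, the local Administrators group on each workstation should contain only the accounts added in step 13. The following is an added example, not part of the original FAQ, that lists the members on one or more computers and flags any that are not in the policy list. The function name, the USERDOMAIN placeholder and the workstation names are assumptions, and it uses the ADSI WinNT provider so that it runs on PowerShell 2.0.

```powershell
# Added example: compare local Administrators membership with the Restricted Groups list.
# USERDOMAIN is a placeholder; replace $Allowed with the entries used in step 13.
function Get-LocalAdminDrift {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Allowed = @('USERDOMAIN\Domain Admins', 'Administrator')
    )
    foreach ($computer in $ComputerName) {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            # Members are COM objects; read ADsPath through reflection.
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            $trimmed = $path -replace '^WinNT://', ''
            $parts = $trimmed -split '/'
            if ($parts.Count -eq 3) {
                # WinNT://DOMAIN/COMPUTER/Name is a local account.
                $name = $parts[2]
            } elseif ($parts.Count -eq 2) {
                # WinNT://DOMAIN/Name is a domain account or group.
                $name = $parts[0] + '\' + $parts[1]
            } else {
                # A bare SID means the account no longer resolves.
                $name = $trimmed
            }
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $name
                InPolicy = ($Allowed -contains $name)   # -contains is case-insensitive
            }
        }
    }
}

# Example call (workstation names are placeholders):
# Get-LocalAdminDrift -ComputerName 'PC01','PC02' | Where-Object { -not $_.InPolicy }
```

Any row returned by the filtered call is an account that the policy should have removed, which usually means the GPO is not reaching that computer.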

F. Remove Quota Limits on Public and Private Stores: All Installs
Discuss with client and remove or adjust quota limits on databases.
Recommendation: Remove on public folders.
Use PowerShell to remove quotas for users before the move:
Get-Mailbox | Set-Mailbox -UseDatabaseQuotaDefaults:$false -IssueWarningQuota "Unlimited" -ProhibitSendQuota "Unlimited" -ProhibitSendReceiveQuota "Unlimited"

G. Moving public folders and System Mailboxes
1) Assign Rights To Public Folders:
Get-MoveRequest | Select Identity, Status | FL

H. Verify client IP has RDNS and SPF records: All Installs
Verify client IP has RDNS and SPF records.

I. Discuss ActiveSync password policies with customer: All Installs
Discuss enabling passwords on cell phones. Determine if passwords will be used and modify or create new policies accordingly.

J. Assign certificate to RWW sessions: All Installs
A. From Administrative Tools\Remote Desktop Services select Remote Desktop Session Host Configuration.
B. Right-click RDP-Tcp and choose Properties.
C. On the General tab, click Select.
D. Select the public certificate and click OK two times.
E. If prompted with a notice about existing connections, click OK. If you do not do this, RWW may not be able to remote control computers from inside the domain.
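
For the RDNS and SPF verification in section H, the following added example (not part of the original FAQ) checks three things: a PTR record exists for the public IP, the PTR host name resolves back to that IP, and the mail domain publishes exactly one SPF record. The function name and the values in the usage line are placeholders, and it parses the output of the Windows nslookup tool.

```powershell
# Added example: check PTR (reverse DNS) and SPF for the server's public IPv4 address.
function Test-MailDns {
    param(
        [Parameter(Mandatory=$true)][string]$PublicIP,
        [Parameter(Mandatory=$true)][string]$MailDomain
    )
    # Build the in-addr.arpa name by reversing the IPv4 octets.
    $octets = $PublicIP.Split('.')
    [array]::Reverse($octets)
    $reverseName = ($octets -join '.') + '.in-addr.arpa'

    # nslookup prints "<name>   name = <host>" for each PTR answer.
    $ptrHosts = @(nslookup -type=PTR $reverseName 2>$null | ForEach-Object {
        if ($_ -match 'name\s*=\s*(\S+)') { $matches[1].TrimEnd('.') }
    })

    # Forward-confirm: the PTR host name must resolve back to the same IP.
    $confirmed = $false
    foreach ($h in $ptrHosts) {
        try {
            $addrs = @([System.Net.Dns]::GetHostAddresses($h) |
                ForEach-Object { $_.IPAddressToString })
            if ($addrs -contains $PublicIP) { $confirmed = $true }
        } catch {
            # The PTR target does not resolve; leave $confirmed as it is.
        }
    }

    # TXT answers appear as quoted strings; keep only the SPF ones.
    $spf = @(nslookup -type=TXT $MailDomain 2>$null |
        Where-Object { $_ -match 'v=spf1' } |
        ForEach-Object { $_.Trim().Trim('"') })

    New-Object PSObject -Property @{
        PtrHosts         = $ptrHosts
        ForwardConfirmed = $confirmed
        SpfRecords       = $spf
        # More than one v=spf1 record is an SPF error for receivers.
        SpfOk            = ($spf.Count -eq 1)
    }
}

# Example call (placeholder values):
# Test-MailDns -PublicIP '203.0.113.10' -MailDomain 'clientdomain.com'
```

Run it from a machine that uses public resolvers, since an internal zone for the public domain can return different answers.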

K. Set max message size
Discuss with the client and ask what maximum message size they want to allow. Change the size values (75MB in the command below) to match.
# MaxRecipientEnvelopeLimit is a recipient count, not a size, so it is left at its default.
Set-TransportConfig -MaxReceiveSize 75MB -MaxSendSize 75MB

L. Set the SCL level to configure Junk Mail threshold
A message with SCL of 9 is likely spam.
A message with SCL of 0 is not spam.
The default is 2. That means that anything above 2 and lower than the rejection settings (Org Config/Hub Transport/Content Filtering/Action tab) which default to 7 will be sent to the Outlook Junk Mail folder.
Use the following PowerShell command in the Exchange Management Shell.
Set-OrganizationConfig -SCLJunkThreshold 6

M. Enable PowerShell Scripts: All Installs
Open PowerShell. Run the following command:
Set-ExecutionPolicy Unrestricted
Note: This is a security risk. Only run scripts from sources you trust.

N. Create internal Autodiscover in DNS: All Installs
In the MS DNS console add a new SRV record with the following:
Name: _autodiscover
Protocol: _tcp
Port: 443
Host: remote.clientdomain.com

O. Create Autodiscover in Public DNS: All Installs
1) Log into public DNS.
2) Add a new A record called Autodiscover.
3) Point Autodiscover to the public IP address of the SBS server.
Note: if DNS contains a zone for the public domain name, you must do this step internally in that zone as well, but point the IP to the internal IP address of the SBS server.

P. Virtualize Old Media: All Installs
In order to remove Exchange from an SBS 2003 server, you will need to have access to SBS 2003 Disk 2. If working remotely you will need the ability to mount/change media at will. Create ISO images from original media and leave on the old server to be used during the decommission process.

Set Send/Receive As Security for Users
• In ADUC, view Advanced Properties.
• View properties of the SBS Users OU.
• Select Security.
• Add BESAdmin.
• Click Advanced.
• Highlight BESAdmin.
• Click Edit.
• Select Descendant User Objects in the drop-down.
• Check the boxes for SendAs and ReceiveAs.
• Click OK 3 times.
Now perform a default installation of the BESExpress Software.
After BESExpress is installed, enable the Hard Deletes Setting:
• Log into the BlackBerry Administration Service.
• In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
• Click the instance that you want to change.
• Click Edit instance.
• On the Messaging tab, in the Messaging options section, in the Hard deletes reconciliation drop-down list, click True.
• Click Save all.
• On the computer that hosts the BlackBerry Dispatcher, restart the BlackBerry Dispatcher service.